FusionCore, an emerging European cybercriminal group, has been found selling ‘SarinLocker’, a new ransomware identified by security researchers.
The SarinLocker ransomware, which was advertised on underground forums and Telegram, leaves a ransom note demanding payment in cryptocurrency.
As part of FusionCore’s affiliate program, the ransomware and the affiliate software are made available to other criminals to use in attacks, a Cyfirma report highlighted.
On further examination, researchers found that the SarinLocker ransomware was being sold by NecroSys, a prominent member of FusionCore.
SarinLocker ransomware
Besides encrypting system data, the current version of the software, SarinLocker v1.0, also exfiltrates the target’s Telegram information. According to a Cyware report, SarinLocker ransomware is offered at $20 for a month and $100 for a lifetime licence.
The updated version of SarinLocker was developed after the previous version was found to have a weakness that allowed its password to be guessed by brute force.
Key findings about SarinLocker ransomware
- SarinLocker ransomware encrypts files with a 256-bit key and a 128-bit block size, the parameters of AES-256.
- NecroSys announced the creation of SarinLocker v2.0 in December 2022. This version is said to require a longer decryption key.
- SarinLocker was found to be incapable of performing the tasks claimed in its underground forum advertisement.
- The encrypted files are renamed with the ‘SARIN.XXX’ extension.
- Besides the ransom note left on the system, victims are also sent a ransom message over Telegram.
Technical details of SarinLocker ransomware
Upon analyzing the sample of SarinLocker, it was found to be a 32-bit PE file with a GUI subsystem. The binary was written in .NET and it was compiled around March 7, 2023.
The execution flow of SarinLocker ransomware is as follows –
- The SHA1 hash of the analysed sample is 856707241a7624681d6a46b2fa279bd56aa6438a
- The MD5 hash of the analysed sample is 4cdd313daa831401382beac13bea4f00
- SarinLocker retrieves the startup path of its own executable and sets the hidden attribute on it so that it is not visible in File Explorer.
- Calling the StartEncryption module, it encrypts files in the user directory and on the drives of the device.
- It collects user data, including the username, and creates a path in the user’s directory.
- Through the EncryptDirectory method, SarinLocker ransomware enumerates the drives and encrypts the files in the user’s directory, recursing into every subdirectory it finds.
- SarinLocker checks each file’s extension against the list of extensions it is programmed to encrypt and attacks only those files. Some of the extensions are –
- .txt
- .dotx
- .docm
- .bat
- .jpeg
- .zip
- .vbs
- .ico
- .png
- .mp4
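The flow above gives a defender three things to hunt for on a suspect host: the reported sample hashes, files already renamed with the ‘SARIN’ marker, and the set of extensions the encryptor would walk through. The following Python script is an added example written for this page, not tooling from the Cyfirma or Cyware reports, that sweeps a directory tree for all three. It assumes only that the renamed extension contains the ‘.SARIN.’ marker (the report prints it as ‘SARIN.XXX’ without spelling out the trailing part), and the directory tree it builds for the demonstration is constructed, not real victim data; a stand-in file’s hash is added to the IOC set because the real binary is not bundled.

```python
"""IOC sweep for the SarinLocker sample described above (added example, not the
report's own tooling). It checks a directory tree for (1) files whose hash matches
the reported sample, (2) files already renamed with the SarinLocker marker and
(3) files the ransomware's extension filter would target."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes reported for the analysed sample (from the report).
SARINLOCKER_HASHES = {
    "sha1": {"856707241a7624681d6a46b2fa279bd56aa6438a"},
    "md5": {"4cdd313daa831401382beac13bea4f00"},
}

# Extensions the sample is reported to target (the subset listed in the report).
TARGET_EXTENSIONS = {
    ".txt", ".dotx", ".docm", ".bat", ".jpeg", ".zip", ".vbs", ".ico", ".png", ".mp4",
}

# The report gives the renamed extension as 'SARIN.XXX' without spelling out the
# trailing part, so this example keys on the '.SARIN.' marker only (assumption).
ENCRYPTED_MARKER = ".sarin."


def hash_file(path, algorithms=("sha1", "md5")):
    """Return {algorithm: hexdigest}, reading the file once in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def matches_sample(path, hashes=SARINLOCKER_HASHES):
    """True if any of the file's digests equals a known sample hash."""
    digests = hash_file(path, algorithms=tuple(hashes))
    return any(digests[alg] in known for alg, known in hashes.items())


def looks_encrypted(name):
    """True if the filename carries the SarinLocker rename marker (case-insensitive)."""
    return ENCRYPTED_MARKER in Path(name).name.lower()


def sweep(root, hashes=SARINLOCKER_HASHES, extensions=TARGET_EXTENSIONS):
    """Walk root (every subdirectory, like EncryptDirectory) and bucket each file.
    Paths are returned relative to root with '/' separators, sorted."""
    root = Path(root)
    findings = {"sample_matches": [], "encrypted": [], "at_risk": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if looks_encrypted(name):
                findings["encrypted"].append(rel)
            elif os.path.splitext(name)[1].lower() in extensions:
                findings["at_risk"].append(rel)
            if matches_sample(path, hashes):
                findings["sample_matches"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_demo_tree(root):
    """Write a constructed directory tree (not real victim data) and return the IOC
    set to sweep it with. The real sample is not bundled, so the hash of a stand-in
    file is added to the reported hashes to exercise the match path."""
    files = {
        "Documents/notes.txt": b"quarterly notes",
        "Documents/photo.png": b"\x89PNG\r\n\x1a\n",
        "Documents/readme.md": b"not on the target list",
        "Documents/budget.xlsx.SARIN.XXX": b"\x00ciphertext\x00",
        "Downloads/sample-standin.exe": b"MZ stand-in for the analysed binary",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    standin_sha1 = hashlib.sha1(files["Downloads/sample-standin.exe"]).hexdigest()
    return {
        "sha1": SARINLOCKER_HASHES["sha1"] | {standin_sha1},
        "md5": set(SARINLOCKER_HASHES["md5"]),
    }


def run_demo():
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(tmp, hashes=build_demo_tree(tmp))


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(bucket, paths)
```

Run it against a real home directory with `sweep("/path/to/home")` (the default IOC set then contains only the two reported hashes). The `at_risk` bucket is the useful pre-incident view: it lists exactly the files the sample’s extension filter would reach, which is what a backup or canary-file check should cover. Hash matching is kept separate from the rename check because a renamed, already-encrypted file will never match the dropper’s hash.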
The cybercriminal group behind SarinLocker ransomware
FusionCore functions as a Malware-as-a-Service group with extended hacker-for-hire services.
The group has often been found using open-source tools to build its malware toolkit, and it is expected to add more affiliates through the AntraXXXLocker program.